CLAIMS 

What is claimed is: 

1. A method to provide secure key selection comprising:

transmitting a license containing a product key of a watercrypted content and a 
client identifier to a secure device for storage; 

transmitting an entitlement control message containing a plurality of content keys 
associated with said watercrypted content to said secure device, together with a request to 
provide a session content key from said plurality of content keys, said session content key 
to be used to decrypt said watercrypted content; and 

receiving said session content key from said secure device in response to said 
request. 

2. The method according to claim 1, wherein said license is encrypted with a public 
key of said secure device to allow said secure device to access said license. 

3. The method according to claim 1, wherein said license is encrypted with a secret 
key of said secure device to allow said secure device to access said license. 

4. The method according to claim 1, further comprising:

establishing a secure channel to communicate securely with said secure device. 

5. The method according to claim 4, wherein said establishing further comprises: 
encrypting a transport key with a personal public key; and 
transmitting said transport key to said secure device.

6. The method according to claim 5, wherein said receiving further comprises: 
receiving said session content key encrypted with said transport key; and 
decrypting said session content key to be used in decrypting said watercrypted
content.

7. The method according to claim 1, wherein said secure device is a smart card 
device. 

8. The method according to claim 1, further comprising receiving said license from a 
content server which distributed said watercrypted content. 

9. The method according to claim 1, further comprising receiving said license from 
an entity connected to a content server which distributed said watercrypted content, said 
entity storing said client identifier and being configured to encrypt said product key with a 
public key of said secure device. 

10. The method according to claim 1, further comprising receiving said entitlement 
control message from a content server which distributed said watercrypted content. 

11. A method to provide secure key selection comprising: 

storing a license containing a product key of a watercrypted content and a client 
identifier from a decoder;

receiving an entitlement control message containing a plurality of content keys
associated with said watercrypted content from said decoder, together with a request to 
provide a session content key from said plurality of content keys, said session content key 
to be used to decrypt said watercrypted content; 

selecting said session content key using said product key and said client identifier 
from said license; and 

transmitting said session content key to said decoder in response to said request. 

12. The method according to claim 11, wherein said license is encrypted with a
personal public key to allow access to said license. 

13. The method according to claim 12, further comprising decrypting said license 
using said personal public key. 

14. The method according to claim 11, wherein said selecting further comprises:
receiving a transport key encrypted with a public key of said decoder; and 
encrypting said session content key with said transport key. 

15. The method according to claim 14, wherein said transmitting further comprises 
transmitting said session content key encrypted with said transport key to said decoder. 

16. An apparatus to provide secure key selection comprising: 

means for transmitting a license containing a product key of a watercrypted 
content and a client identifier to a secure device for storage;

means for transmitting an entitlement control message containing a plurality of
content keys associated with said watercrypted content to said secure device, together 
with a request to provide a session content key from said plurality of content keys, said 
session content key to be used to decrypt said watercrypted content; and 

means for receiving said session content key from said secure device in response 
to said request. 

17. The apparatus according to claim 16, wherein said license is encrypted with a 
public key of said secure device to allow said secure device to access said license. 

18. The apparatus according to claim 16, wherein said license is encrypted with a 
secret key of said secure device to allow said secure device to access said license. 

19. The apparatus according to claim 16, further comprising: 

means for establishing a secure channel to communicate securely with said secure
device.

20. The apparatus according to claim 19, further comprising: 

means for encrypting a transport key with a personal public key; and 
means for transmitting said transport key to said secure device. 

21. The apparatus according to claim 20, further comprising:

means for receiving said session content key encrypted with said transport key; and

means for decrypting said session content key to be used in decrypting said 
watercrypted content. 

22. The apparatus according to claim 16, wherein said secure device is a smart card 
device. 

23. The apparatus according to claim 16, further comprising means for receiving said 
license from a content server which distributed said watercrypted content. 

24. The apparatus according to claim 16, further comprising means for receiving said 
license from an entity connected to a content server which distributed said watercrypted 
content, said entity storing said client identifier and being configured to encrypt said 
product key with a public key of said secure device. 

25. The apparatus according to claim 16, further comprising means for receiving said 
entitlement control message from a content server which distributed said watercrypted 
content. 

26. An apparatus to provide secure key selection comprising: 

means for storing a license containing a product key of a watercrypted content and 
a client identifier from a decoder;

means for receiving an entitlement control message containing a plurality of
content keys associated with said watercrypted content from said decoder, together with a 
request to provide a session content key from said plurality of content keys, said session 
content key to be used to decrypt said watercrypted content; 

means for selecting said session content key using said product key and said client 
identifier from said license; and 

means for transmitting said session content key to said decoder in response to said 
request. 

27. The apparatus according to claim 26, wherein said license is encrypted with a 
personal public key to allow access to said license. 

28. The apparatus according to claim 27, further comprising means for decrypting 
said license using said personal public key. 

29. The apparatus according to claim 26, further comprising: 

means for receiving a transport key encrypted with a public key of said decoder; and

means for encrypting said session content key with said transport key. 

30. The apparatus according to claim 29, further comprising means for transmitting 
said session content key encrypted with said transport key to said decoder.

31. A computer readable medium containing executable instructions, which, when
executed in a processing system, cause said processing system to perform a method to 
provide secure key selection comprising: 

transmitting a license containing a product key of a watercrypted content and a 
client identifier to a secure device for storage; 

transmitting an entitlement control message containing a plurality of content keys 
associated with said watercrypted content to said secure device, together with a request to 
provide a session content key from said plurality of content keys, said session content key 
to be used to decrypt said watercrypted content; and 

receiving said session content key from said secure device in response to said 
request. 

32. A computer readable medium containing executable instructions, which, when 
executed in a processing system, cause said processing system to perform a method to 
provide secure key selection comprising: 

storing a license containing a product key of a watercrypted content and a client 
identifier from a decoder; 

receiving an entitlement control message containing a plurality of content keys 
associated with said watercrypted content from said decoder, together with a request to 
provide a session content key from said plurality of content keys, said session content key 
to be used to decrypt said watercrypted content; 

selecting said session content key using said product key and said client identifier 
from said license; and 

transmitting said session content key to said decoder in response to said request.

33. An apparatus to provide secure key selection comprising:
a decoder; and 

a secure device coupled to said decoder to store a license sent from said decoder, 
said license containing a product key of a watercrypted content and a client identifier, to 
receive an entitlement control message containing a plurality of content keys associated 
with said watercrypted content from said decoder, together with a request to provide a 
session content key from said plurality of content keys, said session content key to be 
used to decrypt said watercrypted content, to select said session content key using said 
product key and said client identifier from said license, and to transmit said session 
content key to said decoder in response to said request. 

34. The apparatus according to claim 33, wherein said license is encrypted with a 
public key of said secure device to allow said secure device to access said license. 

35. The apparatus according to claim 33, wherein said license is encrypted with a 
secret key of said secure device to allow said secure device to access said license.

36. The apparatus according to claim 33, wherein said decoder further establishes a 
secure channel to communicate securely with said secure device. 

37. The apparatus according to claim 36, wherein, in establishing said secure channel, 
said decoder further encrypts a transport key with a decoder public key and transmits said 
transport key to said secure device.

38. The apparatus according to claim 37, wherein said decoder further receives said
session content key encrypted with said transport key and decrypts said session content 
key to be used in decrypting said watercrypted content. 

39. The apparatus according to claim 33, wherein said secure device is a smart card 
device. 

40. The apparatus according to claim 33, wherein said decoder further receives said 
license from a content server, which distributed said watercrypted content. 

41. The apparatus according to claim 33, wherein said decoder further receives said 
license from an entity connected to a content server which distributed said watercrypted 
content, said entity storing said client identifier and being configured to encrypt said 
product key with a public key of said secure device. 

42. The apparatus according to claim 33, wherein said decoder further receives said 
entitlement control message from a content server, which distributed said watercrypted 
content. 

43. The apparatus according to claim 34, wherein said secure device further decrypts 
said license using said public key.

44. The apparatus according to claim 33, wherein said secure device further receives a
transport key encrypted with a decoder public key of said decoder and encrypts said 
session content key with said transport key. 

45. The apparatus according to claim 44, wherein said secure device further transmits 
said session content key encrypted with said transport key to said decoder. 